The CISA Known Exploited Vulnerabilities (KEV) catalogue is a list of flaws that attackers are actively using in the wild. These aren't theoretical; they're confirmed in use, which is why they deserve a place at the top of your patching queue.
The week ending 7 June 2026 added five new entries. That's roughly in line with the recent 13-week average of around six per week, so nothing unusual in the volume. The severity mix, however, is worth a closer look: one Critical and four High, with every one of them rated as actionable.
The headline issue
The standout this week is CVE-2026-45247, a deserialization of untrusted data vulnerability in Mirasvit Full Page Cache Warmer. It carries a CVSS score of 9.8.
The problem sits in how the module handles the CacheWarmer cookie. An unauthenticated attacker can supply a crafted serialized PHP object and achieve remote code execution, with no privileges and no user interaction required. Network-reachable, low complexity, full impact across confidentiality, integrity and availability. If you’re running this module, treat it as a drop-everything fix. Its CISA remediation deadline was 6 June, so it is already overdue.
The rest of the watchlist
Four more vulnerabilities rounded out the week, all rated High and all worth your attention:
- CVE-2024-21182 (Oracle WebLogic Server): An unspecified flaw that lets an unauthenticated attacker compromise WebLogic over T3 or IIOP. CVSS 7.5, and notably it sits in the 100th percentile for modelled exploitation likelihood (EPSS), effectively the most likely of the group to be exploited.
- CVE-2022-0492 (Linux Kernel): An improper authentication issue allowing local privilege escalation through the cgroups v1 release_agent feature. CVSS 7.8. An older CVE, but its appearance on the KEV list is a reminder that attackers happily reach for proven techniques.
- CVE-2026-28318 (SolarWinds Serv-U): An uncontrolled resource consumption flaw. A specially crafted POST request using the Content-Encoding: deflate header can crash the Serv-U service without authentication. CVSS 7.5.
- CVE-2025-48595 (Android Framework): An integer overflow that can lead to local privilege escalation and code execution. CVSS 8.4.
What to do with this
Most of these are network-reachable or grant privilege escalation, several require no authentication, and four of the five are already past their CISA deadline. The Mirasvit RCE is the clear first priority, followed by the WebLogic and Android issues, then the Linux Kernel flaw, with the SolarWinds Serv-U fix close behind.
A quick caveat worth repeating: the KEV catalogue tells you what’s being exploited, not what’s present in your environment. Absence from this list is not evidence of safety, and the list itself is not a substitute for understanding your own asset inventory. The right move is always to map these CVEs against what you actually run, then patch in priority order.
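The mapping-and-prioritising step is easy to describe and easy to get wrong in a spreadsheet. The script below is an added example, not code from this post or from CISA: it encodes the five entries above with the CVSS figures quoted here, matches them against a constructed asset inventory, and orders the matches by an assumed impact tier (unauthenticated remote compromise, then local privilege escalation, then denial of service), then CVSS, then EPSS percentile where the post quotes one. That tiering is my assumption; it happens to reproduce the priority order stated above. Only the WebLogic EPSS figure and the Mirasvit deadline appear in the post, so the other entries leave those fields unset rather than guessing them.

```python
"""Rank a week's KEV additions against an asset inventory (added example, not from the post)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple

# Assumed impact tiers, most urgent first. This is the author's triage rule,
# not a CISA or NVD field.
IMPACT_RANK = {"remote_compromise": 3, "local_privesc": 2, "dos": 1}


@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str
    impact: str                              # key of IMPACT_RANK
    cvss: float
    unauthenticated: bool
    epss_percentile: Optional[float] = None  # 0.0-1.0; None when the post quotes none
    due: Optional[date] = None               # CISA remediation deadline, if quoted


# The week's entries as described in the post. Fields the post does not quote are left unset.
WEEK_OF_7_JUNE_2026: List[KevEntry] = [
    KevEntry("CVE-2026-45247", "Mirasvit Full Page Cache Warmer", "remote_compromise",
             9.8, True, due=date(2026, 6, 6)),
    KevEntry("CVE-2024-21182", "Oracle WebLogic Server", "remote_compromise",
             7.5, True, epss_percentile=1.0),
    KevEntry("CVE-2022-0492", "Linux Kernel", "local_privesc", 7.8, False),
    KevEntry("CVE-2026-28318", "SolarWinds Serv-U", "dos", 7.5, True),
    KevEntry("CVE-2025-48595", "Android Framework", "local_privesc", 8.4, False),
]

# Constructed inventory for illustration: the products this hypothetical estate actually runs.
SAMPLE_INVENTORY: Set[str] = {"Oracle WebLogic Server", "Linux Kernel", "SolarWinds Serv-U"}


def is_overdue(entry: KevEntry, today: date) -> bool:
    """True only when a deadline is known and has already passed."""
    return entry.due is not None and today > entry.due


def priority_key(entry: KevEntry) -> Tuple[int, float, float]:
    """Sort key; larger tuples are more urgent. EPSS only breaks ties within a tier and score."""
    return (IMPACT_RANK[entry.impact], entry.cvss, entry.epss_percentile or 0.0)


def triage(entries: Iterable[KevEntry], inventory: Iterable[str],
           today: date) -> List[Tuple[str, bool]]:
    """Return (cve, overdue) for entries whose product is in the inventory, most urgent first.

    Product names are compared case-insensitively; in a real estate you would key on a
    CPE or package name from your CMDB rather than on a display string.
    """
    owned = {name.strip().lower() for name in inventory}
    hits = [e for e in entries if e.product.lower() in owned]
    hits.sort(key=priority_key, reverse=True)
    return [(e.cve, is_overdue(e, today)) for e in hits]


if __name__ == "__main__":
    # Assumed "today": the first working day after the week the post covers.
    for cve, overdue in triage(WEEK_OF_7_JUNE_2026, SAMPLE_INVENTORY, date(2026, 6, 8)):
        print(f"{cve}  {'OVERDUE' if overdue else ''}")
```

Swap `SAMPLE_INVENTORY` for a real export from your CMDB and the function does the mapping step the paragraph above describes; anything not in the inventory never reaches the patch queue, and anything that does is already in the order you should work it.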
If you'd like the full per-vulnerability breakdown, download the complete report below.
Get the full report
A complete per-vulnerability breakdown: exploit mechanics, CVSS and EPSS scoring, remediation deadlines and direct links to every vendor advisory.
No sign-up required
This summary is provided for information purposes and reflects the CISA KEV catalogue as it stood for the period 1–7 June 2026. The threat landscape changes continually, so scores and deadlines may have moved since publication. Always obtain patches and guidance directly from the vendor.
If you are concerned that you may be affected by any of the vulnerabilities in this report and would like independent assurance, you can get in touch with our testing team via the contact form below.